Which of the following roles do you currently have open - data scientist, data engineer, data protection officer? If you asked this of ten organisations, chances are that six would opt for the DS, three for the DE and just one (at best) for a DPO.
Yet if you were to model the impact on your organisation in both the short- and mid-term, appointing a DPO might give you the greatest return. As Peter Galdies, director of DQM GRC, says: “It’s not that you have to hire a DPO, it is that you should want one.”
So what’s the deal when, for many organisations, this role is not mandated by the General Data Protection Regulation? Or when they have been scared off by the high level at which a DPO is supposed to report?
For those in the public sector, there is no choice, since the Regulation is clear that they are obliged to have a DPO. This reflects the sensitivity of much of the data the public sector handles and the fact that citizens have no choice but to provide their personal information when accessing government services.
That could account for many of the 7,000 trained practitioners which GO DPO estimated in 2016 would be required. It may also be why 21.4% of companies in the DataIQ GDPR Impact survey said that finding a DPO was the number one challenge for their compliance programme.
But the two other conditions under which GDPR mandates this appointment are more compelling. One is organisations involved in the systematic processing of special categories of data. These are defined as: “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
It is easy to believe the variables you are processing are not special in this way, until you think about the implications of any niche positioning you might inhabit. Are any of your products or services clearly intended for the LGBTQ community? Do your customers’ online habits indicate their political allegiance (or have you inferred this from the data you collect)? You may be just one analyst with an enquiring mind away from falling under this classification.
The other reason for having a DPO according to GDPR is if you are monitoring data subjects on a large scale. While the threshold is not defined, it could kick in as low as 10,000 individuals (the point at which an early draft of the Regulation set the bar). In any case, the processing of such data soon escalates in scale, which could make your counter-argument hard to carry.
But even if a strict interpretation of GDPR leaves relatively few, large organisations with a prima facie obligation to employ a DPO, there are other considerations. As Galdies says: “If you think you might need one, then you probably should have one - regardless of the law.”
For one thing, your customers may well expect it of your company. As public understanding of GDPR and the rights it confers grows, the DPO will no longer be a mysterious job title hiding in the small print at the bottom of emails, just in case. Nor can the role be a simple add-on to somebody’s day job - on that point, the Regulation is very clear. Independence, authority and funding are core dimensions of the role.
Perhaps the single biggest reason for hiring a DPO is that it should both lower your business risk (by having someone who clearly understands and manages the rules) and simultaneously enable your business to take an optimal position for making best use of the data assets you have. Just look at all the poorly-advised businesses mandating opt-in consent for situations in which it is neither necessary nor even advantageous to their customers.
And as Galdies explains, the options for deploying a DPO are not restricted to having a direct employee. “While the appointment of a full-time, high-level DPO is probably the most optimal route for larger organisations, smaller ones might consider sharing a DPO with others as an outsourced resource. This provides all the benefits of having regular full-time access to a knowledgeable resource, ensuring and managing that your privacy programme is on track and providing education and training to key staff, but at a level of commitment that is more accessible to small and medium-sized organisations.”
Much of what creates compliance with GDPR is based on the principle of accountability, which a DPO certainly provides. There is also an emphasis on what data subjects expect, and having somebody who is responsible for engaging with consumer rights will be part of that. Few consumers probably expect you to have a data scientist (and none that you have a data engineer).
From accountants to lawyers, hiring essential professional services from external sources has become common business practice. All of those help to keep the business running, but are not permanent hires. DPOs operate at a similar level. So when you do acknowledge that you need one, it is the service you need to put in place, not a new desk.
This article is the fifth in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC. For more information on the solutions it offers, visit dqmgrc.com.